[8835] in bugtraq


Re: Nlog v1.0 Released - Nmap 2.x log management / analyzing tool

daemon@ATHENA.MIT.EDU (duke)
Sat Dec 26 15:11:49 1998

Date: 	Fri, 25 Dec 1998 02:08:44 +0000
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: duke <duke@VIPER.NET.AU>
To: BUGTRAQ@NETSPACE.ORG

Hi,

There are still several security holes in the nlog CGI scripts that allow
arbitrary execution of commands.

one such vulnerability is here in rpc-nlog.pl:

# raw query string, straight from the client
$ipaddr = $ENV{'QUERY_STRING'};
# strip a fixed set of shell metacharacters (a blacklist)
$ipaddr =~ s/\n//g;
$ipaddr =~ s/\`//g;
$ipaddr =~ s/\'//g;
$ipaddr =~ s/\|//g;
$ipaddr =~ s/\"//g;
$ipaddr =~ s/\<//g;
$ipaddr =~ s/\>//g;
# whatever survived is interpolated into a shell command line
# ($rpcinfo is the path to rpcinfo, set earlier in rpc-nlog.pl)
$rpcdata = `$rpcinfo -p $ipaddr`;

This is insufficient checking, as it does not include ; and / for
example, so a user can put in a command separator and execute commands
that way.

duke

>
> n l o g    -  nmap 2.x log management and analyzer toolkit
> ------------------------------------------------------------------------------
>
> Download and Live Demo at:   http://owned.commotion.org/~spinux
>
> From the README:
> ----------------------------
>
> NLog is a set of PERL scripts for managing and analyzing your nmap 2.0+ log
> files.  It allows you to keep all of your scan logs in a single searchable
> database.  The CGI interface for viewing your scan logs is completely
> customizable and easy to modify and improve.  The core CGI script allows you
> to add your own extension scripts for different services, so all hosts with
> a certain service running will have a hyperlink to the extension script.
>
> An Overview:
> ------------------
>
> Basically this is a multi-purpose web-based nmap log browser.  The extension
> scripts allow you to get detailed information about specific services like
> netbios, the RPC services, the finger service, and the BIND version of a DNS
> server.  It is extremely easy to create your own extensions for things like
> a snmpwalk wrapper, a popper vulnerability check, etc.
>
> Nlog provides a standard database format to build your own scripts for any
> purpose, whether to provide a graphical representation of a network or as a
> web based service gateway to an internal network.  Included are the example
> CGI scripts, the nmap log to database conversion tool, a sample template for
> building your own PERL scripts, and a couple of extra scripts for dumping IPs
> from a domain and the like.
>
> A possible use of nlog is for a network administrator who scans his local
> network regularly, to make sure none of the machines are listening on weird
> ports and that they all are running the services they should be.  A cron
> script could scan his internal network, convert the log files to the
> database format and store them on a web server by time or date.  The
> administrator could then load the nlog search form page, preferably protected
> by the normal http authentication methods, and run comparisons between
> databases collected on different dates or at different times from anywhere.
> If the web server is on a gateway machine, he could run RPC or finger
> requests on the internal hosts through the CGI interface, thus removing his
> need to be on the possibly firewalled or masqued network to check a host's
> status.
>
> This code is being released under no type of copyright.  I only ask that if
> you are to use this in a commercial product, give me credit for the work
> I've done.
>
> --HD
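
As an added example, not part of duke's post and not code from nlog, the
following Perl puts the character-stripping filter quoted above next to the
two changes that actually close the hole: validate the input against what the
script wants (a dotted-quad IPv4 address, allowlist rather than blacklist) and
run rpcinfo with the list form of open(), which hands the arguments to
execve() directly instead of a shell. The function names, the sample query
strings and the rpcinfo path are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example (not from nlog or from the Bugtraq post): blacklist filter
# from rpc-nlog.pl beside an allowlist check and a shell-free rpcinfo call.
use strict;
use warnings;

# Mirrors the filter quoted from rpc-nlog.pl: strip a handful of shell
# metacharacters and hand whatever is left to the shell via backticks.
sub blacklist_filter {
    my ($s) = @_;
    $s =~ s/\n//g;
    $s =~ s/\`//g;
    $s =~ s/\'//g;
    $s =~ s/\|//g;
    $s =~ s/\"//g;
    $s =~ s/\<//g;
    $s =~ s/\>//g;
    return $s;    # ';', '&', '$(' and friends all survive
}

# Allowlist: accept only a dotted-quad IPv4 address and nothing else.
# Returns the validated address, or undef if the input is anything else.
sub validate_ipv4 {
    my ($s) = @_;
    return undef unless defined $s;
    return undef
        unless $s =~ /\A([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\z/;
    for my $octet ($1, $2, $3, $4) {
        return undef if $octet > 255;
    }
    return $s;
}

# Run "rpcinfo -p <ip>" without a shell.  The list form of open() passes
# each argument straight to execve(), so no metacharacter in $ipaddr can
# split or extend the command.  $rpcinfo is assumed to be the binary path
# rpc-nlog.pl already knows about.
sub run_rpcinfo {
    my ($rpcinfo, $ipaddr) = @_;
    my $ip = validate_ipv4($ipaddr)
        or die "refusing to run rpcinfo: input is not an IPv4 address\n";
    open(my $fh, '-|', $rpcinfo, '-p', $ip)
        or die "cannot exec $rpcinfo: $!\n";
    local $/;
    my $out = <$fh>;
    close($fh);
    return $out;
}

# Constructed query strings: a legitimate address and the kind of input
# duke describes, a command separator the blacklist never removes.
my $good = '10.0.0.5';
my $bad  = '10.0.0.5;cat /etc/passwd';

printf "blacklist(%s) -> %s\n", $bad, blacklist_filter($bad);
# the ';' is still there, so the original backtick call would run cat

for my $q ($good, $bad) {
    printf "allowlist(%s) -> %s\n", $q,
        defined validate_ipv4($q) ? 'accepted' : 'rejected';
}

# Needs a real rpcinfo on the box; the path is an assumption:
# print run_rpcinfo('/usr/sbin/rpcinfo', $good);
```

The point of the allowlist is that adding `;` to the stripped set would not have
been enough either: `&`, `$(...)` and newline-less tricks still get through a
blacklist, whereas a regex that only admits four octets leaves nothing for the
shell to interpret. Removing the shell from the call path (list-form open() or
system()) is the second, independent layer.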
